How is Auditing Configured?

During system configuration, you preselect which classes of audit records to monitor. You
can also fine-tune the degree of auditing that is done for individual users.
The following figure shows details of the flow of Oracle Solaris auditing.

Figure 28-1 The Flow of Auditing

After audit data is collected in the kernel, plugins distribute the data to
the appropriate locations.

The audit_remote plugin sends binary audit records across a protected link to a remote repository.

The audit_syslog plugin sends text summaries of audit records to syslog.
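The following added example (not part of the original documentation) models how the system-wide preselection, a user's audit_flags attribute, and the audit_syslog plugin's p_flags attribute combine to decide which records are collected and which reach syslog. The function names and sample flag strings are constructed for illustration; the `^` prefix and the `all` class are not modeled.

```python
# Added illustration of Oracle Solaris audit preselection; not Oracle code.
# A mask is modeled as a set of (audit_class, outcome) pairs.

OUTCOMES = ("success", "failure")


def parse_flags(spec):
    """Parse a flag string such as 'lo,+fw,-ex' into (class, outcome) pairs.

    A bare class selects both outcomes, '+' selects successes only,
    '-' selects failures only, and the special flag 'no' selects nothing.
    """
    selected = set()
    for flag in filter(None, (f.strip() for f in spec.split(","))):
        if flag == "no":
            continue
        if flag[0] == "+":
            selected.add((flag[1:], "success"))
        elif flag[0] == "-":
            selected.add((flag[1:], "failure"))
        else:
            selected.update((flag, outcome) for outcome in OUTCOMES)
    return selected


def user_mask(system_flags, audit_flags="no:no"):
    """Preselection mask for a user's processes.

    audit_flags has the form 'always-audit:never-audit'. The mask is
    (system-wide flags + always-audit flags) - never-audit flags.
    """
    always, never = audit_flags.split(":")
    return (parse_flags(system_flags) | parse_flags(always)) - parse_flags(never)


def syslog_selection(mask, p_flags):
    """Records summarized to syslog by audit_syslog.

    p_flags can only narrow the preselected set: a class listed in
    p_flags but absent from the mask produces no syslog output.
    """
    return mask & parse_flags(p_flags)


if __name__ == "__main__":
    # Constructed sample: system audits 'lo'; this user also audits 'fw'.
    mask = user_mask("lo", "fw:no")
    print(sorted(mask))
    print(sorted(syslog_selection(mask, "-lo,+as")))
```

The second line of output contains only failed `lo` events: `as` was never preselected, so listing it in p_flags has no effect.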

Systems that install non-global zones can audit all zones identically from the global
zone. These systems can also be configured to collect different records in the
non-global zones. For more information, see Auditing and Oracle Solaris Zones.